Hi Thomas,
what changed since the time when it worked? Still the same Knot version?
Daniel
On 4/22/22 23:12, Thomas wrote:
Hi,
for the transition of a TLD I need to import the current providers KSK into my zone. I
use the "keymgr import-pub" command for this. I have done that a few times in
the past and it worked very well.
I have now installed the most current version of Knot (3.0.10) and did the same
procedure. But after importing the KSK the zone can't be signed anymore. It seems like
Knot doesn't recognize that this
imported key is a "public-only" key. Knot throws an error and complains that
the private key could not be loaded.
The zone's keys (.example) before the import of the KSK:
# keymgr example list
0b94a3f9fef3ae531fc5ee1334ddd2876db7cd9a ksk=yes zsk=no tag=12595 algorithm=7 size=2048
public-only=no pre-active=0 publish=1650495677 ready=1650495677 active=1650659051
retire-active=0 retire=0
post-active=0 revoke=0 remove=0
13cc082655ddf7160787ef945ad7edb6406bb70e ksk=no zsk=yes tag=05477 algorithm=7 size=1024
public-only=no pre-active=0 publish=1650495677 ready=0 active=1650495677 retire-active=0
retire=0
post-active=0 revoke=0 remove=0
Imported the KSK with the following command:
# keymgr example import-pub /etc/knot/public.key
2c135e77b7f48475a837ad0d28a9459f0e7ce621
OK
The zone's keys (.example) after the import of the KSK:
# keymgr example list
0b94a3f9fef3ae531fc5ee1334ddd2876db7cd9a ksk=yes zsk=no tag=12595 algorithm=7 size=2048
public-only=no pre-active=0 publish=1650495677 ready=1650495677 active=1650659051
retire-active=0 retire=0
post-active=0 revoke=0 remove=0
13cc082655ddf7160787ef945ad7edb6406bb70e ksk=no zsk=yes tag=05477 algorithm=7 size=1024
public-only=no pre-active=0 publish=1650495677 ready=0 active=1650495677 retire-active=0
retire=0
post-active=0 revoke=0 remove=0
2c135e77b7f48475a837ad0d28a9459f0e7ce621 ksk=yes zsk=no tag=35421 algorithm=7 size=2048
public-only=yes pre-active=0 publish=1650660072 ready=0 active=0 retire-active=0 retire=0
post-active=0
revoke=0 remove=0
The imported key (tag 35421) has the flag "public-only=yes", as expected.
But when I now sign the zone, the log shows this errors:
Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] control, received command
'zone-sign'
Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] DNSSEC, dropping previous
signatures, re-signing zone
Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] DNSSEC, key, tag 12595, algorithm
RSASHA1_NSEC3_SHA1, KSK, public, active
Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] DNSSEC, key, tag 35421, algorithm
RSASHA1_NSEC3_SHA1, KSK, public, active+
Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] DNSSEC, key, tag 5477, algorithm
RSASHA1_NSEC3_SHA1, public, active
Apr 22 20:43:24 lab-nic knotd[2831]: error: [example.] DNSSEC, failed to load private
keys (not exists)
Apr 22 20:43:24 lab-nic knotd[2831]: error: [example.] DNSSEC, failed to load keys (not
exists)
Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] DNSSEC, next signing at
2022-04-22T21:43:24+0000
Apr 22 20:43:24 lab-nic knotd[2831]: error: [example.] zone event 'DNSSEC
re-sign' failed (not exists)
The imported key should not have the "active" flag:
info: [example.] DNSSEC, key, tag 35421, algorithm RSASHA1_NSEC3_SHA1, KSK, public,
active+
It seems to me that the imported key is not seen as a "public-only" key anymore
and therefore Knot is looking for the corresponding private key, which of course fails.
I attached an strace output, with the signing operation. But that doesn't seem to be
helpful because the signing command itself doesn't fail.
Thanks,
Thomas
--